CVE-2019-14262
Stack consumption vulnerability in MetadataExtractor (NuGet)
What is CVE-2019-14262 About?
MetadataExtractor version 2.1.0 is vulnerable to a stack consumption attack, which can lead to a denial of service condition. This vulnerability can be triggered by processing maliciously crafted input, causing the application to exhaust its call stack. Exploitation requires providing specifically designed input to the library.
Affected Software
Technical Details
The vulnerability in MetadataExtractor 2.1.0 stems from unbounded recursion or excessive stack usage when processing certain types of metadata. A specially crafted input file, such as an image or document containing deeply nested or malformed metadata structures, can cause the library's parsing functions to make an excessive number of recursive calls or allocate large amounts of data on the call stack. This continuous stack allocation without proper depth limits eventually exhausts the available stack memory, leading to a stack overflow and subsequent application crash, effectively causing a denial of service.
What is the Impact of CVE-2019-14262?
Successful exploitation may allow attackers to cause a denial-of-service condition by crashing the application, rendering it unavailable.
What is the Exploitability of CVE-2019-14262?
Exploiting this stack consumption vulnerability requires an attacker to provide a specially crafted input file (e.g., an image with malicious metadata) that is then processed by MetadataExtractor 2.1.0. The attack can be local if the application processes untrusted files from local storage, or remote if the application processes untrusted files downloaded from external sources. No authentication or special privileges are needed to trigger the vulnerability once the malicious input is processed. The prerequisite is that the application uses MetadataExtractor to parse metadata from untrusted files. There are no notable special conditions or constraints other than the requirement for a specific input structure. Risk factors include applications that expose themselves to untrusted file uploads or downloads that are subsequently parsed by the vulnerable library.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-14262?
Available Upgrade Options
- MetadataExtractor
- <2.2.0 → Upgrade to 2.2.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2019-14262
- https://github.com/drewnoakes/metadata-extractor-dotnet/pull/190
- https://osv.dev/vulnerability/GHSA-cwqq-w8c3-r2jw
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
- https://github.com/drewnoakes/metadata-extractor-dotnet/pull/190
- https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E
What are Similar Vulnerabilities to CVE-2019-14262?
Similar Vulnerabilities: CVE-2023-28491 , CVE-2023-28490 , CVE-2023-28489 , CVE-2022-26482 , CVE-2021-39537
